[BEHAVE] NAT64: Security issues with funny addresses

Simon Perreault <simon.perreault@viagenie.ca> Fri, 19 November 2010 20:41 UTC

Message-ID: <4CE6E135.7040700@viagenie.ca>
Date: Fri, 19 Nov 2010 15:42:29 -0500
From: Simon Perreault <simon.perreault@viagenie.ca>
To: behave@ietf.org
Cc: Jean-Philippe Dionne <jean-philippe.dionne@viagenie.ca>
Subject: [BEHAVE] NAT64: Security issues with funny addresses

In draft-ietf-behave-v6v4-xlate-23, there is the following in the
Security Considerations section:

   There are potential issues that might arise by deriving an IPv4
   address from an IPv6 address - particularly addresses like broadcast
   or loopback addresses and the non IPv4-translatable IPv6 addresses,
   etc.  The [I-D.ietf-behave-address-format] addresses these issues.

I cannot find information on these issues in the referenced document
(nor in RFC 6052).

So what should implementors do? Block them?

It could be a major security issue in practice. Just thinking of this
makes me nervous:

$ ssh 64:ff9b::127.0.0.1

Simon
-- 
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca